Privacy Notice – Fabrication Lab
The University of Westminster takes its data protection obligations very seriously. Access to any personal information you give us when registering to be a user of the Fabrication Lab or captured on our CCTV or similar surveillance systems is subject to a staff confidentiality agreement. Access to your personal information is limited by permissions to only those staff who need access to manage your use of our facilities and in compliance with the General Data Protection Regulation and the Data Protection Act 2018.
This privacy notice explains what we do with your personal information, your rights and how we protect it.
All University staff and students can register to use the Fabrication Lab. When you do so, we will usually collect only the following information from you:
- Your name and your student or staff identification number
- School or staff department
- Your contact information, including email and phone number
- Course of study, year of study, if applicable
- Whether you have a health issue that should be considered in relation to your use of the Fabrication Lab
In the course of your use of the Fab Lab, we may additionally collect your:
- Fabrication Lab training records
- Equipment loans
- Payment information
- Visit records
- CCTV and other surveillance data
- Personal health information if relevant
Use of your personal data
If you have registered to use the Fabrication Laboratory, we hold this information to enable us to process your registration and to permit us to provide you with access to and safe usage of our laboratory facilities. We use your personal data to:
- Contact you
- Manage and deliver required personal training
- Give you access to the Fabrication Lab and authorised use of our equipment
- Manage the hiring and loaning of equipment and any related payment processes
- Compile statistics and reports to help manage and improve our operations.
Legal basis for processing and retention
Additionally, we will, in the public interest of health and safety and to prevent and detect crime, potentially capture your agreed use of the Fab Lab on our CCTV and similar surveillance systems.
See the Fabrication Lab CCTV policy.
We will also compile aggregate statistics related to the use of the Fabrication Lab from time to time, in order to review and improve our operations. If we share these with colleagues, no individuals will be identifiable.
CCTV and similar surveillance data will only be retained for 28 days.
Other personal data will be kept for as long as required for business use or no longer than six years after your last use of the Fabrication Lab.
Special category personal data
In most circumstances the Fabrication Lab will not gather or require you to give us any sensitive personal data to register or use the Lab, unless you have a health issue that should be considered in relation to your use of the Fabrication Lab and its facilities and equipment.
In such a case, your personal health information will be processed in strict confidentiality and with your explicit consent.
Staying in touch
We will use your contact details in relation to arranging our required training and any loan of equipment.
We will not use your personal information to send you marketing communications by email or text, unless you have agreed to receive such information that may be relevant to you. You will always be given the option to stop receiving such communications.
Profiling and automated decision making
The Fabrication Lab does not have any automated decision-making processes – that is, decisions made by computer without human intervention – related to the registration and use of our Lab.
Data transfers and sharing
None of your personal information is shared by the University with any other third party organisation, other than where this is necessary for the provision of a service you have agreed to, or where otherwise allowed by UK law.
Where services involve a third party processing your information, such services will be covered by a contract, and details of the services and the legal mechanism for any data transfers outside the EU and EEA can be initially requested from: The Fabrication Lab Director D.Scott@westminster.ac.uk
If you have any questions relating to your personal information and your information rights, including right of access, rectification and erasure, please see the University’s data protection web pages.
Or contact the University Information Compliance Team firstname.lastname@example.org.
You can also contact the Information Commissioner’s Office in relation to any concerns or issues you may have with the processing of your personal information.
CCTV and surveillance camera policy
The University of Westminster’s Fabrication Laboratory is located at our Marylebone building, 35 Marylebone Road, London NW1 5LS.
The Fabrication Laboratory is committed to ensuring that Closed-Circuit Television (CCTV) and similar surveillance technology is used appropriately in the laboratory to promote safety and prevent and detect crime and is managed in compliance with the General Data Protection Regulation and the Data Protection Act 2018.
Negligent or malicious non-compliance with this policy may be dealt with through the disciplinary process.
The ICO CCTV Code of Practice is the University’s legislative guide for our use of these systems.
We also have regard to the Surveillance Camera Code of Practice issued by the Surveillance Camera Commissioner under the Protection of Freedoms Act 2012. (While it is only binding on English and Welsh police forces and local authorities, it provides useful principles for all users of CCTV.)
- The University Senior Information Risk Owner (SIRO) has overall responsibility for ensuring compliance with this policy. This role is currently undertaken by the University Secretary and COO;
- The Fabrication Laboratory CCTV System Owner has management oversight of the Fabrication Laboratory’s use of CCTV and similar surveillance technology in that location;
- The Fabrication Laboratory Manager has day-to-day responsibility for ensuring compliance with this policy, and advising the organisation on the operation of the CCTV system;
- The Information Compliance Manager has responsibility for advising the organisation on data protection matters and meeting data subjects’ rights;
- All colleagues are responsible for understanding and complying with relevant policies and procedures for securing the organisation’s information assets, and for immediately reporting any event or breach affecting information assets of the organisation.
Purposes of our CCTV
The organisation uses CCTV on its premises for the purposes of:
- The health and safety of staff, students and visitors in all areas of the Fabrication Laboratory;
- The prevention and detection of crime;
- In formal cases of alleged misconduct;
- The settlement of insurance claims.
CCTV will not be used for the ongoing monitoring of staff performance and timeliness.
The CCTV system will not be used for covert surveillance.
Any new use or substantial extension of the use of CCTV or camera-based surveillance technology will be subject to a Data Protection Impact Assessment, in particular considering the necessity and proportionality of its use.
Siting and coverage of surveillance cameras will be kept under review to ensure the system is effective while minimising intrusion and impact on privacy of staff and visitors.
Operation of the CCTV systems will be documented in a procedures manual detailing appropriate use and management, and the Fabrication Laboratory Manager and all staff with direct access to the system will receive appropriate training.
Operation of the CCTV systems will be subject to daily routine checks by the Fabrication Laboratory Manager or their deputy to ensure correct operation and appropriate image quality. All CCTV systems will be subject to annual review by the Fabrication Laboratory CCTV System Owner and Information Compliance Manager to assure the organisation that they are still necessary, proportionate and fit-for-purpose.
Any external suppliers providing CCTV services will be subject to a written GDPR-compliant contract with the Information Compliance Manager providing guidance on data protection.
Appropriate and visible signage will be displayed in the Fabrication Laboratory on the use of surveillance cameras, with the contact details for the Fabrication Security Manager clearly visible.
Our use of CCTV and surveillance technologies will be included in our Records of Data Processing Activity (under article 30 of GDPR) and in our data protection Privacy Notices.
Retention of CCTV images
CCTV footage will be securely deleted after 28 days. Where CCTV footage has been captured for use in investigating or reporting an incident, the extracted footage will be retained securely as part of the relevant record for the appropriate period.
Access to surveillance images
All operational requests from within the organisation to access CCTV images will be forwarded to the Fabrication Laboratory Manager, for consideration, in liaison with the Information Compliance Manager, and all decisions will be documented.
Police requests for access will be dealt with by the Information Compliance Manager, with the assistance of the Fabrication Laboratory Manager, and consideration given on receipt of an appropriate written request. Contact email@example.com
Subject access requests and other rights requests from individuals for their own CCTV images will be forwarded immediately to the Information Compliance Manager to be dealt with under the Data Protection Policy. Contact firstname.lastname@example.org
All other third party access requests (from insurance companies, lawyers and others) will be forwarded to the Fabrication Laboratory Manager for consideration and decisions will be documented.
Access to CCTV controls and monitors and to the servers and media containing surveillance images will be appropriately secured through encryption of devices and media, firewall protection of the servers, user account access controls and physical security for the control area. The system will be secured against hardware attack and backed up appropriately.
If you have any questions about this policy, please contact:
Fabrication Laboratory Manager
David Scott – Fabrication Laboratory DCDI
35, Marylebone Road London NW1 5LS.
| Title | Fabrication Lab CCTV Policy June 2019 |
| Authors | M. Bacon and D. Scott |
| Review Date | June 2020 |
| Version History | 1st Draft |
Last reviewed and updated October 2019 – DRAFT